Your Wi-Fi router isn't just a box that distributes internet. It's the gateway to your digital life: banking, personal correspondence, your smart home, and even your security cameras. KasperskyOne in five routers in Russia is vulnerable to attacks due to factory settings or outdated software. Meanwhile, 68% of users never change the default passwords on their devices.
Hackers aren't the only problem. Neighbors accidentally connecting to your network can slow down your speed. Bots scan vulnerable routers for DDoS attacks or cryptocurrency mining. And if an attacker gains access to your router's admin panel, they can redirect your traffic to phishing sites—even if you enter the correct bank address.
In this article - Step-by-step instructions for protecting your router Against all types of threats: from a simple password change to advanced settings like device isolation and MAC address blocking. We'll analyze real-life Wi-Fi data leak cases, show you how to test your router for vulnerabilities, and provide a monthly security monitoring checklist.
1. Change the factory login and password for the admin panel
Most routers use combinations like admin/admin, admin/1234 or admin/blank passwordThis data can be easily googled by device model. For example, for TP-Link Archer C6 standard login and password - admin, and for ASUS RT-AX88U — admin without password.
How to change:
- 🔧 Open your browser and enter the router's IP address (usually
192.168.0.1or192.168.1.1). The address is indicated on the device sticker. - 🔐 Enter the factory login and password (if you haven't changed them). If they don't work, reset the router using the reset button.
Reset(hold for 10 seconds). - 🔄 Go to the section
System Preferences(orAdministration) →User Management. - 🆔 Come up with a new login (not
admin!) and a password of length at least 12 characters with numbers, letters and special characters.
Critical errorMany users change their Wi-Fi password but forget about the admin panel. Hackers scan networks for open ports (for example, 80 or 8080) and select standard combinations in a matter of minutes.
⚠️ Attention: If your router supports remote management via the cloud (for example, TP-Link Tether or ASUS Router App), disable this feature in the settings. It creates an additional entry point for attacks.
2. Set up WPA3 encryption and disable legacy protocols
The encryption type determines how easy it is for someone to intercept and decrypt your traffic. Outdated standards like WEP or WPA can be hacked in minutes using free tools like Aircrack-ng.
The best choice for 2026 is WPA3-Personal (or WPA2/WPA3 Transition Mode for compatibility with older devices). It protects against dictionary attacks and provides individual traffic encryption for each connected device.
| Protocol | Security level | Time to hack (using primitive methods) | Do modern devices support it? |
|---|---|---|---|
| WEP | ❌ Extremely low | <5 minutes | Yes (but don't use it!) |
| WPA (TKIP) | ⚠️ Low | From 10 minutes to several hours | Yes |
| WPA2 (AES) | ✅ High | From several days (with a weak password) | Yes |
| WPA3-Personal | ✅✅ Maximum | Almost impossible* | Yes (devices after 2018) |
*Provided that the password is complex and there are no vulnerabilities in the firmware.
How to set up:
- Log into your router's admin panel.
- Go to the section
Wireless network(orWireless). - Select
WPA3-Personalon the menuSecurity Mode(orSecurity). - Set the password length at least 15 characters (use a password generator).
⚠️ AttentionIf your router doesn't support WPA3, update the firmware (see Section 5). If there are no updates, consider purchasing a new device (recommended models: ASUS RT-AX86U, TP-Link Archer AX6000, Keenetic Ultra).
3. Disable WPS and UPnP – hidden loopholes for hackers
WPS (Wi-Fi Protected Setup) — a function for quickly connecting devices using a PIN code. The problem is that the PIN consists of 8 digits, and it can be brute-forced in 4-10 hours (even without physical access to the router). The attack is called Pixie Dust and works against most routers manufactured before 2020.
UPnP (Universal Plug and Play) Automatically opens ports on your router for devices on your local network. This is convenient for online gaming or torrents, but dangerous: malware can use UPnP to bypass your firewall and gain access to your network from outside.
How to disable:
- 🔌 WPS:
Wireless Network → WPS → Disable(orDisable WPS). On some routers the option is hidden inAdditional settings. - 🌐 UPnP:
Local Network → UPnP → Disable(orAdvanced → UPnP → Disable).
What happens if I don't disable WPS?
Hackers can bruteforce the PIN code even without physical access to the router. They can then obtain the Wi-Fi password or change the router's settings. In 2023, over 100,000 routers in Europe were hacked using a WPS vulnerability to mine cryptocurrency.
Exception: If you really need the feature WPS To connect devices without a screen (such as a printer), turn it on temporarily and turn it off immediately after use.
4. Create a guest network for visitors and IoT devices
A guest network isolates connected devices from your main local network. This means:
- 📱 Guests won't see your shared folders or printers.
- 🔒 Smart light bulbs, cameras, or speakers won't be able to infect your computer if they're hacked.
- 📶 Your internet speed won't drop due to torrents or updates on other people's devices.
How to set up:
- Find the section in the router admin panel
Guest network(orGuest Network). - Turn on guest Wi-Fi and set a separate network name (for example,
MyHome_Guest). - Set a password (it can be simpler than for the main network).
- In the security settings, select
Isolate devices(orEnable AP Isolation). - Limit the speed (optional): eg 10 Mbps for guests.
☑️ Setting up a guest network
Tip: Connect everything to the guest network IoT devices (smart plugs, cameras, speakers). They often have vulnerabilities and become entry points for attacks on the entire network.
5. Update your router firmware to the latest version
Manufacturers regularly release updates that patch critical vulnerabilities. For example, in 2023, a flaw was discovered CVE-2023-1389 in routers ASUS, allowing hackers to execute code remotely. A firmware update patched this vulnerability within days.
How to update:
- Log into your router's admin panel.
- Find the section
Software update(orFirmware Update). - Click
Check for updatesIf there is a new version, install it. - Do not turn off the router during the update (this may brick the device).
If automatic update does not work:
- 🔍 Check the router model (indicated on the sticker).
- 🌍 Go to the manufacturer's official website and find the support section.
- 📥 Download the latest firmware for your model.
- 🔄 Upload it manually through the admin panel.
⚠️ AttentionInterface details and update availability vary by router model. If your device is older than 5 years, check the manufacturer's website to see if it's supported. Some brands (e.g., D-Link) stop releasing updates for older models after 2–3 years.
6. Enable firewall and MAC address filtering
Router firewall Blocks suspicious connections from the outside. For example, it can block port scans or attacks like SYN-floodMost routers have a firewall enabled by default, but its settings can be tightened.
How to set up:
- 🛡️ Find the section in the admin panel
Security→Firewall(orFirewall). - 🔒 Enable options
Protection against DoS attacks,ICMP filteringAndBlocking anonymous requests. - 🌐 Turn it off
Remote control(if you don't use it).
MAC address filtering Allows only authorized devices to connect to the network. This isn't a panacea (MAC addresses can be spoofed), but it adds an extra layer of security.
How to set up:
- Find the section
Wireless network→MAC filter. - Turn on filtering and select the mode
Allow only specified. - Add the MAC addresses of your devices (you can find them in the smartphone/PC settings or via the command
ipconfig /allin Windows).
7. Check connected devices and block suspicious ones
Regularly auditing your network devices will help you detect unauthorized connections. For example, if you see an unknown device named Android_1234 or Unknown Device, this could be a sign of a hack.
How to check:
- 📊 In the router admin panel, find the section
Connected devices(orDHCP Clients List). - 🔍 Review the list. Look for any unknown names or MAC addresses.
- 🚫 If you find a suspicious device, block it by MAC address or change the Wi-Fi password.
Signs of hacking:
- 📉 Unexpected drop in internet speed.
- 🔄 The router reboots spontaneously.
- 🌐 Unknown gadgets appear in the list of devices.
- 🔒 Router settings have been changed (for example, DNS servers).
8. Additional measures: VPN, cloud antivirus, and physical security
If you store critical data or handle finances, consider additional measures:
- 🔐 VPN on a router: Set up a VPN server (for example, WireGuard or OpenVPN) directly on the router. This will encrypt all traffic, including smart devices. Supported ASUS, Keenetic and routers with firmware DD-WRT.
- 🛡️ Cloud antivirus for the network: Services like Bitdefender Box or Cujo AI scan traffic at the router level and block malicious websites.
- 🏠 Physical protection: Hide the router in a closed space (for example, in a closet) and turn off the button
WPS(if any). This will protect against attacks through physical access.
For advanced users:
Configuring DD-WRT for Maximum Security
DD-WRT firmware allows for flexible router configuration: disable unnecessary services, configure a firewall using iptables, and even run a Tor node. However, it requires technical knowledge and can brick the device if installed incorrectly.
If your router doesn't support advanced features, consider purchasing a model that does. VPN servers or IPS/IDS (intrusion detection systems). For example, Keenetic Ultra has a built-in firewall and support Yandex DNS to block dangerous websites.
FAQ: Frequently asked questions about Wi-Fi router security
Is it possible to hack a router via WPS if it is disabled?
No, not if WPS is completely disabled in the settings. However, some routers leave the service active even after "disabling" it in the web interface. To check, use the utility Wash (included in the package) Aircrack-ngIf the router responds to WPS requests, reset it to factory settings and update the firmware.
How often should I change my Wi-Fi password?
The minimum recommendation is once every 3-6 months. If you suspect a hack (for example, unknown devices appear on the network), change your password immediately. Use passwords with a length of at least 15 characters with mixed case, numbers and special characters.
My router doesn't support WPA3. What should I do?
If the firmware update does not add WPA3, consider purchasing a new router. An alternative is to use WPA2 with AES encryption and additionally include PMF (Protected Management Frames) in the security settings. This will protect against attacks like KRACK.
How to protect your router from attacks through firmware vulnerabilities?
- Update your firmware regularly (every 1–2 months).
- Disable remote control and WAN access.
- Use OpenWRT or DD-WRT (if supported) - these firmwares are updated more frequently than stock ones.
- Subscribe to vulnerability alerts (e.g. CVE Details) for your router model.
Should I hide my SSID (network name)?
Hiding SSID (Hide SSID) does not improve security - experienced hackers can easily find the network using Wireshark or Airodump-ngMoreover, this creates inconvenience for legitimate users. It's better to spend time setting it up. WPA3 And firewall.